Four cyber security experts have delivered to the US Congress a unanimous opinion: Americans shouldn’t use HealthCare.gov, given its security issues.

David Kennedy, CEO of information security firm TrustedSEC and former CSO of Diebold, was one of those who testified on Tuesday before a House Science, Space, and Technology committee hearing on security concerns surrounding the woebegone, very large attack target that is the government’s new healthcare website.

The committee wanted answers to this question: “Is my data on HealthCare.gov secure?”

As FoxNews.com reported, Kennedy testified that the answer is No, given that the site’s pwnage is inevitable:

Hackers are definitely after it. ... And if I had to guess, based on what I can see ... I would say the website is either hacked already or will be soon.

Kennedy told FoxNews.com that his firm has detected a large number of SQL injection attacks against the site, which indicates “a large amount” of hacking attempts:

Based on the exposures that I identified, and many that I haven’t published due to the criticality of exposures, if a hacker wanted access to the site or sensitive information, they could get it.

Also testifying was Fred Chang, a computer science professor at Southern Methodist University and former research director for the NSA; Avi Rubin, a computer science professor at Johns Hopkins University; and Morgan Wright, CEO of Crowd Sourced Investigations, cybersecurity analyst for Fox News and Fox Business, and a former senior law enforcement advisor to the Republican National Convention.

Three of the four testified that they believe it’s best to shut HealthCare.gov down completely.

The lone voice of dissent on that point was Rubin, who said he doesn’t have enough information to decide, but that a security review of the site is definitely in order.

I would need to know whether there are inherent flaws vs. superficial problems that can be fixed. If they can be fixed, that’s better than shutting it down.

Kennedy said that given what he’s been able to suss out from public record and reconnaissance of the site, he could break into its data stores within two days and steal the personal information of people who’ve used the site.

As Network World’s Tim Greene reports, Kennedy demonstrated that he could redirect people trying to access the site to a lookalike site that could push malware that would allow attackers to hijack people’s devices.

We can actually enable their web cam, monitor their web cam, listen to their microphone, steal passwords. ... Anything that they do on their computer we now have full access to.

CBS News reports that Henry Chao, the project manager responsible for building HealthCare.gov, gave 9 hours of closed-door testimony to the House Oversight Committee in advance of this week’s hearing.

A CBS News video clip put up by Townhall.gov shows the heavily redacted security report that Chao claims he never saw.

Chao told the House Oversight Committee that his team told him that “there were no ‘high’ findings” – “high” referring to government classification of “high risk”, which designates that a vulnerability can be expected to have severe or catastrophic adverse effects on organisational operations, assets or individuals.

It was Chao who recommended it was safe to launch the site at the start of October.

When asked if he found it surprising that he hadn’t seen the memo advising about high-risk vulnerabilities on HealthCare.gov – a highly redacted version of which was shown on CBS News’s report – he said that yes, of course he was surprised:

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.

25 comments on “Security pros: If Healthcare.gov hasn’t been hacked already, it will be soon”

If they did shut it down, they’d have to do it smartly, putting up a message that is easy to understand. Otherwise, visitors will assume they’re doing something wrong and will try harder, maybe ending up on one of the lookalike scam sites instead.

As someone who sits in SOC and watches traffic for multiple large and small clients, unless they have some good captures showing very targeted and customized attempts, a lot of that ‘SQL attack’ is just the usual collection of scanners and automated probing that hits the worlds websites every day.
That said, yeah its a great target and it will be hit likely thousands of times a day. Eventually someone is going to get through. I’d be interested in what are they doing to both monitor and detect things beyond the front door ?

This is what happens when you give a big project like this to a friend of the first lady instead of hiring the best company for the job. Can you believe they didn’t even take multiple bids? They gave the job to a Canadian company. They got to make the only bid. That alone seems criminal.

You’re seriously going to repost stuff from FOX News like this is an unbiased representation of the facts? Do you understand that saying that a guy connected with Diebold, a guy connected with Southern Methodist, and a guy connected with FOX News say that the site should be shut down is no more insightful than saying that the extreme right-wing in the United States don’t want public health care.

Wow – let’s see… Reports from Fox News and Townhall (both conservative propaganda media machines) make unsubstantiated claims against a website made for a law they adamantly oppose… Citing boasts from a former exec of Diebold (a company that has plenty of security issues on it’s own). Yeah, sorry – the lack of credibility here doesn’t impress.

Hmmm… that’s funny, because I thought every website is just a hack away from being on the 10:00 News… some more important that this, like maybe a nuclear power generation plant or that foul smelling raw sewage treatment plant down the street… oh yeah, I forgot this website is for “OBAMACare”…

I think you are overestimating the importance of a nuclear power station websites to the operation of power stations and underestimating the importance of a website to the operation of a web-based healthcare marketplace.

Nope… just stating a fact of how easy it is to access one from the Internet… in case you haven’t heard, whether it’s important or not people will tend to “freakout” over something like that… do you think?

Sorry but INFOSEC is as much a corporate welfare boondoggle in DC as anything. It appears that Akamai is handling the web portion of the site and I would think that they would set up an APP Firewall to block the SQL Injections. Also, there is a process to make a site public in the Federal Government that includes vulnerability scans. I agree the site is a great target for hackers to put a feather in their cap but the fact is, there are two types of systems in IT. Compromised and about-to-get-compromised. I have no doubt that the healthcare.gov site could be compromised but there should be processes and procedures for detection of such attacks. I do get concerned with the high number of partners the site interacts with as they are only as secure as their partners are.

INFOSEC is a concern but having worked as a Federal IT Contractor and Employee I would be surprised to see these were not planned for or mitigated prior to ATO. If this was rushed, then it could be a catastrophe. .

While their concerns are legit, wading through the FUD in the INFOSEC world can be exasperating, hopefully if there are real concerns, they are being dealt with now.

A very depressing part of this whole story is that the feds think they’ve only been attacked sixteen times since the site went live. Maybe sixteen times an hour, 24×7 for real attacks and not just probing. But certainly not a total of sixteen times. Not very much real-world awareness of the threats there.

The only thing that is more depressing than that is the sniping going on here rather than discussing the facts.

And if automated probes can populate the search engine field, then it certainly is not getting dropped prior to hitting the application, which is a significant issue.